This is a phenomenon that security agencies have been aware of for a long time and that has now become a critical priority for regulators and policymakers.
On this point, Paul Warren-Tape, Head of Operations for ID verification leader OCR Labs Pty Ltd., says, “Looking at the Optus attack, this was a big concern because fraudsters were using stolen PII (personally identifiable information) to try and commit identity crime […] We need to understand why a telco stores copies of people’s identity documents in the first place, as to provide ongoing services they only need to know a person’s name, address and their contact details.” Warren-Tape further notes that the Medibank breach is also “deeply concerning.”
“The concerns relate to organizations not having a clear understanding of their complete data footprint, including: what do they hold, should they even be holding that information, where is it held and who else is holding it, is it all secure?”
According to Warren-Tape, every organization, particularly those at the top of their markets, is starting to consider the bare minimum of data it should retain after confirming a person’s identity. “They’ve obviously got regulatory requirements to verify the identity of their customers. And I think they’re subsequently holding on to copies of identity documents to demonstrate they’ve performed an identity check for audit and regulatory compliance purposes.”
“And another reason is because, prior to the raft of breaches, information has been perceived as wealth, not risk,” he added. “But holding that information opens them up to be honeypots for certain attacks, and health insurance companies may not be as well versed about cyber risks as, say, the banks are.”
Moreover, Warren-Tape notes that banks in Australia have a higher security posture and are more experienced and cyber-aware, but they cannot rest on their laurels, as the threat landscape is continually evolving.